Asterisk Project Security Advisory - AST-2014-007

Product

Asterisk

Summary

Exhaustion of Allowed Concurrent HTTP Connections

Nature of Advisory

Denial Of Service

Susceptibility

Remote Unauthenticated Sessions

Severity

Moderate

Exploits Known

No

Reported On

May 25, 2014

Reported By

Richard Mudgett

Posted On

May 9, 2014

Last Updated On

June 12, 2014

Advisory Contact

Richard Mudgett <rmudgett AT digium DOT com>

CVE Name

CVE-2014-4047



Description

Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.


Resolution

The patched versions now have a session_inactivity timeout option in http.conf that defaults to 30000 ms. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support.


Affected Versions

Product

Release Series


Asterisk Open Source

1.8.x

All versions

Asterisk Open Source

11.x

All versions

Asterisk Open Source

12.x

All versions

Certified Asterisk

1.8.15

All versions

Certified Asterisk

11.6

All versions


Corrected In

Product

Release

Asterisk Open Source

1.8.28.1, 11.10.1, 12.3.1

Certified Asterisk

1.8.15-cert6, 11.6-cert3


Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff

Asterisk 1.8

http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff

Asterisk 11

http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff

Asterisk 12

http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff

Certified Asterisk 1.8.15

http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff

Certified Asterisk 11.6



Links

https://issues.asterisk.org/jira/browse/ASTERISK-23673


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-007.pdf and http://downloads.digium.com/pub/security/AST-2014-007.html


Revision History

Date

Editor

Revisions Made

May 9, 2014

Richard Mudgett

Document Creation

June 12, 2014

Matt Jordan

Added CVE


Asterisk Project Security Advisory - AST-2014-007
Copyright © 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.